Uber links to sensitive ride data now expire after 48 hours

When an Uber rider reaches his or her destination, the ride may be over, but information about it could live on through Google.

On Thursday, a site-specific search on Google for trip.uber.com
produced dozens of links to Uber rides that have been completed and
cancelled, in countries around the world including the U.S., England,
Russia, France and Mexico.

Each link leads to a Web site with a map showing the ride's route,
with the pickup and destination tagged with markers. A card on the page
also shows the first name of the rider and driver, along with the
driver's photo, make and model of car, and license plate number.

The map appears just as it might during the actual ride for the driver and rider on their smartphones.

If that wasn't troubling enough, the source code for each of these web sites, which is publicly accessible, reveals even more.

In the code, exact addresses for the pick-up spot and destination can
be found. So can the car's license plate and the exact date and time of
the ride.

By combining the information displayed on the map with data gleaned
from the source code, people could learn an awful lot about these riders
and drivers through other Google searches.

Tech news site ZDNet reported on the finding earlier on Thursday.

Links to Uber rides and associated data, viewable after a site search of trip.uber.com on Google.

In a statement, an Uber spokeswoman said, "This is not a data leak.
We have found that all these links have been deliberately shared
publicly by riders. Protection of user data is critically important to
us and we are always looking for ways to make it even more secure."

In 2013, Uber added a feature to its app to let riders share their ETA
with friends and family during the ride. With the feature, riders can
send a link, via SMS, to a live map that shows when they'll arrive at
their destination.

The links appearing in the Google results containing the ride data
were links that had been shared also on social media sites, and were
thus cached by Google, an Uber spokeswoman said Thursday.

Google includes tweets in its search results.

Mikko Hypponen, chief research officer at IT security company F-Secure, previously called attention to the matter on Twitter, with pictures of the Uber links and maps he had found on Google.

John Flynn, Uber's chief information security officer, in response, said the links were shared deliberately by users.

But even though the links may have been deliberately shared online,
users likely were not aware that they would contain sensitive data in
the source code, or that anyone could find them through Google.

Those revelations might raise new privacy concerns among some Uber
users. Some users might decide to stop using the share ETA feature,
while others who are sent the links might now opt not to post them
online.

Uber has previously faced controversy over its data policies, and the
level of access company employees have to individual riders' trip data.

Late last year, Uber brought in a Washington, D.C., law firm to
review its data policies, after attention had been brought to a
so-called "god view" tool that let employees view rider logs and trip
histories.

But this time, in the case of ride links shared online by users, it
might be Uber customers who find themselves having to perform a privacy
check of their own.

(Correction: An earlier version of the story misidentified the Uber
official who responded to Hypponen's tweet; it was John Flynn, Uber's
chief information security officer.)

Brand Post

Save up to $90! Great Deals on Norton 360 antivirus starting at just A$79.99 Get comprehensive protection with Norton 360 including Antivirus, secure VPN, a Password Manager, PC Cloud Backup, and more. All backed by 60-day Money Back Guarantee and 100% Virus Protection Promise.

PCW Evaluation Team

I have had the pleasure of owning notebooks from Dynabook’s predecessor Toshiba for both work and leisure in the past. Toshiba’s attention to quality of build and design of the notebooks is second to none. The re-branding to Dynabook and the launch of the new range was completed in early 2019. I am pleased to confirm that not only did Dynabook further refine what Toshiba has left off; they have set a new benchmark for the ultra-light notebook category.

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited. Copyright 2013 IDG Communications.
ABN 14 001 592 650. All rights reserved.